Session may be extended indefinitely
Since qsessions uses a custom session object which is altered every time the User-Agent or IP changes, there is a side effect due to how the base Django session engine works.
Upon save, the session engine changes the expiry date by calling get_expiry_date (which, without any arguments, just extends the session duration by its maximum length).
If, for any reason, a user with an active session changes User-Agent (i.e. automatic updates) or IP (i.e. dynamic IP) more frequently than the configured session duration, the session will never expire, since it is saved upon every change.
Don't core Django sessions do the same thing?
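The mechanism described in the report at the top of this thread, as an added example that is not part of the original posts and is neither Django nor qsessions code: a simplified model in which every save resets expiry to now plus the session duration, next to a variant with an absolute lifetime cap. The class names, `ABSOLUTE_LIFETIME`, the durations and the sample addresses are assumptions made for illustration.

```python
from datetime import datetime, timedelta

SESSION_AGE = timedelta(hours=2)        # stands in for the configured session duration
ABSOLUTE_LIFETIME = timedelta(hours=8)  # hypothetical hard cap, not a Django/qsessions setting


class SlidingSession:
    """Model of the reported behaviour: each save sets expiry to now + SESSION_AGE."""

    def __init__(self, now, user_agent, ip):
        self.created = now
        self.user_agent, self.ip = user_agent, ip
        self.save(now)

    def expiry_for_save(self, now):
        return now + SESSION_AGE

    def save(self, now):
        self.expire_date = self.expiry_for_save(now)

    def request(self, now, user_agent, ip):
        """Return False once expired; save only when User-Agent or IP changed."""
        if now >= self.expire_date:
            return False
        if (user_agent, ip) != (self.user_agent, self.ip):
            self.user_agent, self.ip = user_agent, ip
            self.save(now)
        return True


class CappedSession(SlidingSession):
    """Same model, but a save never moves expiry past created + ABSOLUTE_LIFETIME."""

    def expiry_for_save(self, now):
        return min(now + SESSION_AGE, self.created + ABSOLUTE_LIFETIME)


def hours_alive(session_cls, change_every_hours=1, limit_hours=48):
    """Replay a client whose IP changes on a fixed interval (constructed timeline).

    Returns the hour at which the session is rejected, or None if it is
    still accepted when the replay ends.
    """
    start = datetime(2024, 1, 1)
    session = session_cls(start, "UA/1.0", "198.51.100.0")
    for hour in range(change_every_hours, limit_hours + 1, change_every_hours):
        now = start + timedelta(hours=hour)
        if not session.request(now, "UA/1.0", f"198.51.100.{hour % 250}"):
            return hour
    return None
```

With a change every hour and a two-hour duration, the sliding model is still accepted after 48 hours, while the capped variant is rejected at hour 8.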